Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

NLP Verification: Towards a General Methodology for Certifying Robustness

Marco Casadio, Tanvi Dinkar, Ekaterina Komendantskaya, Luca Arnaboldi, Matthew L. Daggitt, Omri Isac, Guy Katz, Verena Rieser, Oliver Lemon

TL;DR

The paper tackles the challenge of certifying robustness in NLP systems by exposing the embedding gap between geometric verification in $\mathbb{R}^m$ and sentence semantics. It proposes a modular NLP verification pipeline that centralizes semantic perturbations, embedding-space analysis, semantic subspaces, semantically robust training, and SMT-based verification, grounded by a novel embedding-error metric. Empirically, semantic subspaces outperform purely geometric ones in verifiability and generalisability, and adversarial training on semantic subspaces further enhances both, enabling more practical deployment. The work introduces ANTONIO as a benchmarking tool, validates the approach on safety-critical datasets (R-U-A-Robot and Medical safety), and discusses limitations and future directions, including scalability and the integration of verified filters with NLP systems for real-world safety guarantees.

Abstract

Machine Learning (ML) has exhibited substantial success in the field of Natural Language Processing (NLP). For example large language models have empirically proven to be capable of producing text of high complexity and cohesion. However, they are prone to inaccuracies and hallucinations. As these systems are increasingly integrated into real-world applications, ensuring their safety and reliability becomes a primary concern. There are safety critical contexts where such models must be robust to variability or attack, and give guarantees over their output. Computer Vision had pioneered the use of formal verification of neural networks for such scenarios and developed common verification standards and pipelines, leveraging precise formal reasoning about geometric properties of data manifolds. In contrast, NLP verification methods have only recently appeared in the literature. While presenting sophisticated algorithms, these papers have not yet crystallised into a common methodology. They are often light on the pragmatical issues of NLP verification and the area remains fragmented. In this paper, we attempt to distil and evaluate general components of an NLP verification pipeline, that emerges from the progress in the field to date. Our contributions are two-fold. Firstly, we propose a general methodology to analyse the effect of the embedding gap, a problem that refers to the discrepancy between verification of geometric subspaces and the semantic meaning of sentences, which the geometric subspaces are supposed to represent. We propose a number of practical NLP methods that can help to quantify the effects of the embedding gap. Secondly, we give a general method for training and verification of neural networks that leverages a more precise geometric estimation of semantic similarity of sentences in the embedding space and helps to overcome the effects of the embedding gap in practice.

NLP Verification: Towards a General Methodology for Certifying Robustness

TL;DR

The paper tackles the challenge of certifying robustness in NLP systems by exposing the embedding gap between geometric verification in and sentence semantics. It proposes a modular NLP verification pipeline that centralizes semantic perturbations, embedding-space analysis, semantic subspaces, semantically robust training, and SMT-based verification, grounded by a novel embedding-error metric. Empirically, semantic subspaces outperform purely geometric ones in verifiability and generalisability, and adversarial training on semantic subspaces further enhances both, enabling more practical deployment. The work introduces ANTONIO as a benchmarking tool, validates the approach on safety-critical datasets (R-U-A-Robot and Medical safety), and discusses limitations and future directions, including scalability and the integration of verified filters with NLP systems for real-world safety guarantees.

Abstract

Machine Learning (ML) has exhibited substantial success in the field of Natural Language Processing (NLP). For example large language models have empirically proven to be capable of producing text of high complexity and cohesion. However, they are prone to inaccuracies and hallucinations. As these systems are increasingly integrated into real-world applications, ensuring their safety and reliability becomes a primary concern. There are safety critical contexts where such models must be robust to variability or attack, and give guarantees over their output. Computer Vision had pioneered the use of formal verification of neural networks for such scenarios and developed common verification standards and pipelines, leveraging precise formal reasoning about geometric properties of data manifolds. In contrast, NLP verification methods have only recently appeared in the literature. While presenting sophisticated algorithms, these papers have not yet crystallised into a common methodology. They are often light on the pragmatical issues of NLP verification and the area remains fragmented. In this paper, we attempt to distil and evaluate general components of an NLP verification pipeline, that emerges from the progress in the field to date. Our contributions are two-fold. Firstly, we propose a general methodology to analyse the effect of the embedding gap, a problem that refers to the discrepancy between verification of geometric subspaces and the semantic meaning of sentences, which the geometric subspaces are supposed to represent. We propose a number of practical NLP methods that can help to quantify the effects of the embedding gap. Secondly, we give a general method for training and verification of neural networks that leverages a more precise geometric estimation of semantic similarity of sentences in the embedding space and helps to overcome the effects of the embedding gap in practice.
Paper Structure (44 sections, 11 equations, 7 figures, 32 tables)

This paper contains 44 sections, 11 equations, 7 figures, 32 tables.

Table of Contents

  1. Introduction
  2. Contributions Part 1: Characterisation of Verifiable Subspaces and general
  3. Contributions Part 2: NLP Verification Pipeline in Use: an NLP Perspective on the Embedding Gap.
  4. Related Work
  5. DNN Verification
  6. Geometric Representations in DNN Verification
  7. Robust Training
  8. NLP robustness
  9. Datasets and Use Cases Used in NLP Verification
  10. Datasets Proposed in This Paper
  11. Previous NLP Verification Approaches
  12. The Parametric NLP Verification Pipeline
  13. Semantic Perturbations
  14. NLP Embeddings
  15. Geometric Analysis of Embedding Spaces
  16. ...and 29 more sections

Figures (7)

  • Figure 1: An example of verifiable but not generalisable $\epsilon\text{-balls}$ (a), convex-hull around selected embedded points (b), hyper-rectangle around same points (c) and rotation of such hyper-rectangle (d) in 2-dimensions. The red dots represent sentences in the embedding space from the training set belonging to one class, while the turquoise dots are embedded sentences from the test set belonging to the same class.
  • Figure 2: Visualisation of the NLP verification pipeline followed in our approach.
  • Figure 3: An example of hyper-rectangle drawn around all points of the same class (a), shrunk hyper-rectangle $\mathbb{H}_{sh}$ that is obtained by excluding all points from the opposite class (b) and clustered hyper-rectangles (c) in 2-dimensions. The red dots represent sentences in the embedding space of one class, while the blue dots are embedded sentences that do not belong to that class.
  • Figure 4: Tool ANTONIO that implements a modular approach to the NLP verification pipeline used in this paper.
  • Figure 5: Zero-shot prompts with 2 basic examples from the R-U-A-Robot dataset. Answers from vicuna-13b are given in italics. A1 and A2 represent different answers to the same prompt, illustrating a lack of consistency in the output.
  • ...and 2 more figures

Theorems & Definitions (12)

  • Definition 1: Convex Set
  • Definition 2: Convex Hull
  • Definition 3: Zonotope
  • Definition 4: Interval (aka Hyper-Rectangle)
  • Definition 5: Hyper-rectangle for an Embedding Matrix
  • Example 1: $\epsilon\text{-cube}$ and $\epsilon\text{-ball}$
  • Definition 6: Semantic Subspace for a Sentence
  • Example 2: Construction of Semantic Subspaces
  • Definition 7: Verifiability
  • Definition 8: Generalisability
  • ...and 2 more